April 4, 2017

NoRef.io is a free website/service that you can use to hide the user’s HTTP referer when clicking on hyperlinks you create.

In building NoRef.io, quite a number of performance and privacy considerations went into designing the service, namely:

Goals:

  • Fast, really fast: the page should load in less than 100ms
  • No server should be able to see the redirect URL
  • Reliable service

So, let’s see how we can accomplish all these goals.

Optimizing Speed

  • Very small page size < 5 kb
  • Fast load time < 100 ms over typical network
  • The service should load with a single HTTP call, keeping all JS and CSS inline (inside one HTML page)
  • Service is cacheable by a CDN’s edge network and the users’ web browsers (apply proper cache-control headers)
  • Deliver page over gzip (compressed)
  • Fast DNS service

So, how fast does it load?

UPDATE: this post doesn’t reflect the performance of the new version of noref.io.

Google Chrome measured it at <80ms. Sweet!

Maintaining Privacy

The goal is to make sure the redirect URLs are not recorded by the server (or any server). To accomplish that:

  • The page should not load any external JavaScript, so that a compromise of an external service cannot compromise users’ privacy
  • Require the page to be loaded over HTTPS, to prevent eavesdropping and man-in-the-middle attacks
  • Place the redirect URL after the # sign in the URL. The browser does not include the fragment in the HTTP request, so the redirect is performed by JavaScript on the client
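The fragment-based redirect described above, sketched as an added example (this is not NoRef.io's own code). The function names and the `noref.example` host are hypothetical, and the scheme allow-list and the `no-referrer` policy mentioned in the comments are assumptions about how such a page would be hardened.

```javascript
// Added example: hypothetical names, not NoRef.io's code.

// What the web server (and CDN) receives in the request line: path + query.
// Everything after the first '#' stays in the browser.
function requestTargetSeenByServer(pageUrl) {
  const u = new URL(pageUrl);
  return u.pathname + u.search;
}

// Extract the redirect target from the fragment and validate it.
// Returns a normalized http(s) URL string, or null if it is not acceptable.
function targetFromFragment(pageUrl) {
  const hash = new URL(pageUrl).hash;          // '' or '#...'
  if (hash.length <= 1) return null;           // no target supplied
  let target;
  try {
    target = new URL(hash.slice(1));           // must be an absolute URL
  } catch (e) {
    return null;
  }
  // Allow-list the scheme so 'javascript:' or 'data:' targets never execute
  // in the redirector's own origin.
  if (target.protocol !== 'http:' && target.protocol !== 'https:') return null;
  return target.href;
}

// Browser wiring. Assumes the page also sets a 'no-referrer' policy
// (for example <meta name="referrer" content="no-referrer">) so the
// destination receives no Referer header.
if (typeof window !== 'undefined') {
  const target = targetFromFragment(window.location.href);
  if (target) window.location.replace(target);  // replace(): no history entry
}
```

Because the target never appears in the request line, it is also absent from server and CDN access logs, provided the page loads no third-party script that could read `location.hash`.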

Reliability

The website should be served with redundancy, and cached by the CDN in case the server is unavailable.

For this task, we’ll utilize Cloudflare’s Always Online™ feature.

Web Server <-> CDN (Cloudflare) Edge Network <-> User

Cloudflare will store a copy of your website and serve that to your visitors if your server is ever unreachable.

Author
Ryan Harijanto

Head of Engineering. Former Sr. Engineer @Netflix , @HotelTonight , @Shutterstock. Previously a Senior Systems Engineer at Netflix, currently technology advisor and board member for emerging companies. Diverse technological knowledge and understanding of various industries.
